DBIR: Nine Distinct Patterns Account for Majority of Attacks

Analysis provided in the newly released 2014 Data Breach Investigations Report (DBIR) from Verizon indicates that the vast majority of attacks, some 92% of the 100,000 security incidents examined, follow one of nine distinct methodology patterns that vary based on the targeted industry.

The DBIR identified the nine threat patterns as being:

Miscellaneous errors such as sending an e-mail to the wrong person

Crimeware (various malware aimed at gaining control of systems)

Insider/privilege misuse

Physical theft/loss

Web application attacks

Denial of service (DoS) attacks

Cyberespionage

Point-of-sale (PoS) intrusions

Payment card skimming

“After analyzing 10 years of data, we realize most organizations cannot keep up with cybercrime – and the bad guys are winning,” said Wade Baker, principal author of the DBIR series. “But by applying big data analytics to security risk management, we can begin to bend the curve and combat cybercrime more effectively and strategically.

“Organizations need to realize no one is immune from a data breach. Compounding this issue is the fact that it is taking longer to identify compromises within an organization – often weeks or months, while penetrating an organization can take minutes or hours,” Baker continued.

Other key findings in the DBIR include:

Cyberespionage is up again in the 2014 report, representing a more than three-fold increase compared with the 2013 report, with 511 incidents. (This is partially due to a bigger dataset.) In addition, these attacks were found to be the most complex and diverse, with a long list of threat patterns. As it did last year, China still leads as the site of the most cyberespionage activity; but the other regions of the world are represented, including Eastern Europe, with more than 20 percent.

For the first time, the report examines distributed denial of service attacks, which are attacks intended to compromise the availability of networks and systems so that, for example, a website is rendered useless. They are common to the financial services, retail, professional, information and public sector industries. The report points out that DDoS attacks have grown stronger year-over-year for the past three years.

The use of stolen and/or misused credentials (user name/passwords) continues to be the No. 1 way to gain access to information. Two out of three breaches exploit weak or stolen passwords, making a case for strong two-factor authentication.

Retail point-of-sale (POS) attacks continue to trend downward, exhibiting the same trend since 2011. Industries commonly hit by POS intrusions are restaurants, hotels, grocery stores and other brick-and-mortar retailers, where intruders attempt to capture payment card data. While POS breaches have been in the headlines lately, they are not indicative of the actual picture of cybercrime.

While external attacks still outweigh insider attacks, insider attacks are up, especially with regard to stolen intellectual property. The report points out that 85 percent of insider and privilege-abuse attacks used the corporate LAN, and 22 percent took advantage of physical access.

After a quick review of the DBIR, Tripwire’s CTO Dwayne Melancon said a couple of things really stand out in the report.

“First… it seems that servers are more popular than ever as attack targets. This is interesting, particularly when compared to the decline in User Device breaches. Are we getting better at securing BYOD, or have attackers just realized there is more of what they are after on a server?” Melancon wrote.

“I would guess ‘density of lucrative assets per device’ factors into this trend. Regardless of the driver, I think this is a good reminder to focus on the assets that could most harm your business and making sure they are secure. Know what you have, know how it’s vulnerable, configure it securely, and continuously monitor it to ensure it isn’t compromised and remains secure.”